update embedded nginx support for openappsec and bug fixes and schema changes

2025-09-29 19:24:26 +03:00 · 2022-11-16 17:56:41 +02:00
parent 03949a3cb7
commit 8bbd856d92
13 changed files with 90 additions and 48 deletions
--- a/components/security_apps/orchestration/local_policy_mgmt_gen/include/appsec_practice_section.h
+++ b/components/security_apps/orchestration/local_policy_mgmt_gen/include/appsec_practice_section.h
@@ -119,9 +119,9 @@ public:
    load(cereal::JSONInputArchive &archive_in)
    {
        dbgTrace(D_K8S_POLICY) << "Loading AppSec Web Attack Protections";
-        parseAppsecJSONKey<std::string>("csrf-protection", csrf_protection, archive_in, "Inactive");
-        parseAppsecJSONKey<std::string>("error-disclosure", error_disclosure, archive_in, "Inactive");
-        parseAppsecJSONKey<std::string>("open-redirect", open_redirect, archive_in, "Inactive");
+        parseAppsecJSONKey<std::string>("csrf-enabled", csrf_protection, archive_in, "inactive");
+        parseAppsecJSONKey<std::string>("error-disclosure-enabled", error_disclosure, archive_in, "inactive");
+        parseAppsecJSONKey<std::string>("open-redirect-enabled", open_redirect, archive_in, "inactive");
        parseAppsecJSONKey<bool>("non-valid-http-methods", non_valid_http_methods, archive_in, false);
    }

@@ -253,7 +253,7 @@ public:
    {
        dbgTrace(D_K8S_POLICY) << "Loading AppSec Snort Signatures practice";
        parseAppsecJSONKey<std::string>("override-mode", override_mode, archive_in, "Inactive");
-        parseAppsecJSONKey<std::vector<std::string>>("configmap", config_map, archive_in);
+        parseAppsecJSONKey<std::vector<std::string>>("files", config_map, archive_in);
    }

    const std::string & getOverrideMode() const { return override_mode; }
@@ -285,7 +285,7 @@ public:
    {
        dbgTrace(D_K8S_POLICY) << "Loading AppSecPracticeOpenSchemaAPI practice";
        parseAppsecJSONKey<std::string>("override-mode", override_mode, archive_in, "Inactive");
-        parseAppsecJSONKey<std::vector<std::string>>("configmap", config_map, archive_in);
+        parseAppsecJSONKey<std::vector<std::string>>("files", config_map, archive_in);
    }

    const std::string & getOverrideMode() const { return override_mode; }
@@ -777,12 +777,12 @@ public:
        dbgTrace(D_K8S_POLICY) << "Loading AppSec policy spec";
        parseAppsecJSONKey<AppsecPolicySpec>("policies", policies, archive_in);
        parseAppsecJSONKey<std::vector<AppSecPracticeSpec>>("practices", practices, archive_in);
-        parseAppsecJSONKey<std::vector<AppsecTriggerSpec>>("logtriggers", log_triggers, archive_in);
-        parseAppsecJSONKey<std::vector<AppSecCustomResponseSpec>>("customresponses", custom_responses, archive_in);
+        parseAppsecJSONKey<std::vector<AppsecTriggerSpec>>("log-triggers", log_triggers, archive_in);
+        parseAppsecJSONKey<std::vector<AppSecCustomResponseSpec>>("custom-responses", custom_responses, archive_in);
        parseAppsecJSONKey<std::vector<AppsecExceptionSpec>>("exceptions", exceptions, archive_in);
-        parseAppsecJSONKey<std::vector<TrustedSourcesSpec>>("trustedsources", trusted_sources, archive_in);
+        parseAppsecJSONKey<std::vector<TrustedSourcesSpec>>("trusted-sources", trusted_sources, archive_in);
        parseAppsecJSONKey<std::vector<SourceIdentifierSpecWrapper>>(
-            "sourceidentifiers",
+            "source-identifier",
            sources_identifier,
            archive_in
        );
--- a/components/security_apps/orchestration/local_policy_mgmt_gen/include/trusted_sources_section.h
+++ b/components/security_apps/orchestration/local_policy_mgmt_gen/include/trusted_sources_section.h
@@ -34,7 +34,7 @@ public:
    {
        dbgTrace(D_K8S_POLICY) << "Loading trusted sources spec";
        parseAppsecJSONKey<int>("minNumOfSources", min_num_of_sources, archive_in, 3);
-        parseAppsecJSONKey<std::vector<std::string>>("sourcesIdentifiers", sources_identifiers, archive_in);
+        parseAppsecJSONKey<std::vector<std::string>>("sources-identifiers", sources_identifiers, archive_in);
        parseAppsecJSONKey<std::string>("name", name, archive_in);
    }

@@ -110,7 +110,7 @@ public:
    load(cereal::JSONInputArchive &archive_in)
    {
        dbgTrace(D_K8S_POLICY) << "Loading trusted sources spec";
-        parseAppsecJSONKey<std::string>("sourceIdentifier", source_identifier, archive_in);
+        parseAppsecJSONKey<std::string>("source-identifier", source_identifier, archive_in);
        parseAppsecJSONKey<std::vector<std::string>>("value", value, archive_in);
    }

--- a/components/security_apps/orchestration/local_policy_mgmt_gen/local_policy_mgmt_gen.cc
+++ b/components/security_apps/orchestration/local_policy_mgmt_gen/local_policy_mgmt_gen.cc
@@ -28,6 +28,7 @@
 #include <boost/uuid/uuid_generators.hpp>

 #include "rest.h"
+#include "report/report.h"
 #include "debug.h"
 #include "config.h"
 #include "connkey.h"
@@ -1218,27 +1219,10 @@ private:
    LocalPolicyEnv env_type;
    map<string, string> practice_name_to_id_map;

-    bool 
-    isPlaygroundEnv()
-    {
-        string playground_variable = "PLAYGROUND";
-        const char* env_string = getenv(playground_variable.c_str());
-        
-        if (env_string)
-        {
-          string env_value = env_string;
-          std::transform(env_value.begin(), env_value.end(), env_value.begin(), 
-                         [](unsigned char c){ return std::tolower(c); });
-          return env_value == "true";           
-        }
-         
-        return false;
-    }
-
    bool
    getClusterId()
    {
-        string playground_uid = isPlaygroundEnv() ? "playground-" : "";
+        string playground_uid = Report::isPlaygroundEnv() ? "playground-" : "";

        dbgTrace(D_K8S_POLICY) << "Getting cluster UID";
        auto maybe_namespaces_data = getObjectFromCluster<NamespaceData>("/api/v1/namespaces/");
--- a/components/security_apps/orchestration/orchestration_comp.cc
+++ b/components/security_apps/orchestration/orchestration_comp.cc
@@ -596,6 +596,10 @@ private:
                auto team = i_env->get<AudienceTeam>("Audience Team");
                if (team.ok()) audience_team = *team;

+                string agent_uid =
+                    (Report::isPlaygroundEnv() ? "playground-" : "") +
+                    Singleton::Consume<I_AgentDetails>::by<OrchestrationComp>()->getAgentId();
+
                Report policy_update_message(
                    "Agent's policy has been updated",
                    curr_time,
@@ -607,7 +611,7 @@ private:
                    Severity::INFO,
                    Priority::LOW,
                    chrono::seconds(0),
-                    LogField("agentId", Singleton::Consume<I_AgentDetails>::by<OrchestrationComp>()->getAgentId()),
+                    LogField("agentId", agent_uid),
                    Tags::ORCHESTRATOR
                );
                policy_update_message.addToOrigin(LogField("policyVersion", new_policy_version));
--- a/components/signal_handler/signal_handler.cc
+++ b/components/signal_handler/signal_handler.cc
@@ -207,6 +207,9 @@ private:
        }

        set<ReportIS::Tags> tags;
+        string agent_uid =
+            (Report::isPlaygroundEnv() ? "playground-" : "") +
+            Singleton::Consume<I_AgentDetails>::by<SignalHandler>()->getAgentId();
        Report message_to_fog(
            "Nano service startup after crash",
            curr_time,
@@ -218,7 +221,7 @@ private:
            Severity::HIGH,
            Priority::HIGH,
            chrono::seconds(0),
-            LogField("agentId", Singleton::Consume<I_AgentDetails>::by<SignalHandler>()->getAgentId()),
+            LogField("agentId", agent_uid),
            tags,
            Tags::INFORMATIONAL
        );